@genadipost
Last active December 12, 2019 09:27
Foreman and Active Directory integration (Kerberos Single Sign-On)

This script installs Foreman on RHEL/CentOS 7 and configures it for Active Directory integration with Kerberos single sign-on.

What the script does:

  • Points the host's DNS resolver at the Active Directory domain controllers, so realmd/sssd can discover the domain through its SRV records
  • Using sssd and realmd, the RHEL server joins the AD domain (DNS record, computer account and host SPN are created in AD)
  • Using samba (net ads), an HTTP SPN is added to the computer account and a separate keytab containing only the HTTP principal is written
  • Foreman is installed with IPA/AD authentication support and SSO is configured; httpd authenticates through gssproxy, so the HTTP keytab stays root-owned and is never read by the apache user

Sources

Notes:

  • The script should be converted to an Ansible playbook
  • Because of a bug (bugzilla 1271618), realm join has to run with --membership-software=samba
  • The one-liner hard-codes the AD administrator password and disables firewalld; both are lab shortcuts, not production settings
#!/bin/bash
# Site-specific values from the original one-liner; change them for your environment.
AD_DOMAIN=test.local
AD_REALM=TEST.LOCAL
AD_WORKGROUP=TEST
AD_ADMIN=Administrator
IFACE=ens33
DNS_SERVERS="192.168.227.147,192.168.227.2"
HOST=foreman1
set -euo pipefail

# Ask for the AD admin password instead of hard-coding it in the script.
read -r -s -p "Password for ${AD_ADMIN}@${AD_REALM}: " AD_PASSWORD; echo

yum -y install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install https://yum.theforeman.org/releases/1.15/el7/x86_64/foreman-release.rpm
yum -y install foreman-release-scl
yum -y install foreman-installer

# Resolve through the AD DNS servers so realmd/sssd can discover the domain (SRV records).
nmcli con mod "$IFACE" ipv4.dns "$DNS_SERVERS"
nmcli con mod "$IFACE" ipv4.dns-search "$AD_DOMAIN"
nmcli general hostname "$HOST"
systemctl restart systemd-hostnamed
systemctl restart network

# Lab shortcut: in production open the ports Foreman needs (443/tcp for the web UI) instead.
systemctl stop firewalld
systemctl disable firewalld

yum -y install gssproxy sssd adcli realmd samba-common-tools ipa-python

# Join the domain: computer account, host SPN and DNS record are created in AD.
# Because of bugzilla 1271618 the join must use samba, not adcli, as membership software.
printf '%s\n' "$AD_PASSWORD" | realm join -v "$AD_DOMAIN" -U "$AD_ADMIN" --membership-software=samba

# foreman-installer's IPA mode reads an IPA client config; a stub naming the realm is enough for AD.
mkdir -p /etc/ipa
cat > /etc/ipa/default.conf <<EOF
[global]
server = unused
realm = ${AD_REALM}
EOF

# Minimal smb.conf for net ads; "system keytab" makes net write through libkrb5's default keytab.
cat > /etc/net-keytab.conf <<EOF
[global]
workgroup = ${AD_WORKGROUP}
realm = ${AD_REALM}
kerberos method = system keytab
security = ads
EOF

# Register the HTTP SPN on the computer account and write its keys to a dedicated keytab for
# gssproxy (KRB5_KTNAME redirects the "system keytab" there). The user%password form is
# visible in the process list while net runs.
KRB5_KTNAME=FILE:/etc/gssproxy/http.keytab net ads keytab add HTTP \
    -U "${AD_ADMIN}%${AD_PASSWORD}" -d3 -s /etc/net-keytab.conf
chown root:root /etc/gssproxy/http.keytab
chmod 600 /etc/gssproxy/http.keytab   # gssproxy runs as root; httpd must not be able to read it

# Let sssd feed KDC discovery to libkrb5 (idempotent: only add the includedir once).
grep -q '^includedir /var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf || \
    sed -i '1i includedir /var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf

# The installer's IPA mode expects an HTTP keytab at /etc/httpd/conf/http.keytab; an empty
# placeholder satisfies it, the real keys are served by gssproxy from /etc/gssproxy/http.keytab.
mkdir -p /etc/httpd/conf
touch /etc/httpd/conf/http.keytab
foreman-installer --foreman-proxy-dhcp=false --foreman-proxy-tftp=false --foreman-ipa-authentication=true

# Unit overrides as systemd drop-ins (same effect as the ".include" full-unit copies in the
# original): gssproxy needs a writable replay cache, httpd must use gssproxy instead of a keytab.
mkdir -p /etc/systemd/system/gssproxy.service.d /etc/systemd/system/httpd.service.d
cat > /etc/systemd/system/gssproxy.service.d/rcache.conf <<'EOF'
[Service]
Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
EOF
cat > /etc/systemd/system/httpd.service.d/gssproxy.conf <<'EOF'
[Service]
Environment=GSS_USE_PROXY=1
EOF
systemctl daemon-reload
systemctl restart gssproxy.service
systemctl enable gssproxy.service
systemctl restart httpd.service
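Two checks worth running once the script has finished, as an added example that is not part of the gist: that the HTTP keytab really carries HTTP/<fqdn>@<REALM> with AES keys rather than only RC4, and that Apache in front of Foreman answers an unauthenticated request to the SSO endpoint with a Negotiate challenge. The hostname foreman1.test.local, the realm TEST.LOCAL and the keytab path are taken from the script above; the /users/extlogin location is an assumption about the installer's default Apache configuration, so adjust it if your Foreman version protects a different path. The parsing functions run on constructed klist and curl output embedded in the block (not captured from a real host); verify_sso runs the live commands.

```shell
#!/bin/sh
# Post-install verification for the Kerberos SSO setup. Added example, not part of the gist.
# Assumed (adjust to your site): host foreman1.test.local, realm TEST.LOCAL, HTTP keytab at
# /etc/gssproxy/http.keytab, and /users/extlogin protected by GSSAPI auth in Apache.
set -eu

# Read `klist -kte <keytab>` output on stdin and look for HTTP/<fqdn>@<REALM>.
# Returns 0 when the principal has at least one AES key, 2 when it is present but only has
# RC4/DES keys (AD issues those unless msDS-SupportedEncryptionTypes restricts the account),
# and 1 when it is absent (the `net ads keytab add` step did not work).
check_http_keytab() {
    local want="HTTP/$1@$2" found=0 strong=0 weak=0 line
    while IFS= read -r line; do
        case "$line" in
            *"$want"*) ;;
            *) continue ;;
        esac
        found=1
        case "$line" in
            *aes128-cts*|*aes256-cts*) strong=$((strong + 1)) ;;
            *arcfour*|*rc4*|*des-cbc*|*des3*) weak=$((weak + 1)) ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: $want not found in keytab" >&2; return 1
    fi
    if [ "$strong" -eq 0 ]; then
        echo "FAIL: $want has only weak enctypes ($weak legacy keys)" >&2; return 2
    fi
    echo "OK: $want present, $strong AES keys, $weak legacy keys"
}

# Read `curl -sS -I https://<fqdn>/users/extlogin` headers on stdin. Without a ticket the
# protected location must answer 401 with "WWW-Authenticate: Negotiate"; anything else means
# mod_auth_gssapi is not in front of Foreman's external login.
check_negotiate_challenge() {
    local status=0 negotiate=0 line
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            "HTTP/"*" 401"*) status=401 ;;
            [Ww][Ww][Ww]-[Aa]uthenticate:*[Nn]egotiate*) negotiate=1 ;;
        esac
    done
    if [ "$status" -eq 401 ] && [ "$negotiate" -eq 1 ]; then
        echo "OK: GSSAPI Negotiate challenge is in place"; return 0
    fi
    echo "FAIL: no 401/Negotiate challenge (status=$status)" >&2
    return 1
}

# Live checks on a deployed host. Needs klist (krb5-workstation) and curl; run
# `kinit <user>@<REALM>` first so the last step can complete the handshake.
verify_sso() {
    local fqdn="$1" realm="$2" keytab="${3:-/etc/gssproxy/http.keytab}" code
    klist -kte "$keytab" | check_http_keytab "$fqdn" "$realm"
    curl -sS -I "https://$fqdn/users/extlogin" | check_negotiate_challenge
    # With a valid TGT the handshake should end in a redirect into Foreman, not another 401.
    code=$(curl -sS --negotiate -u : -o /dev/null -w '%{http_code}' "https://$fqdn/users/extlogin")
    echo "extlogin with Negotiate returned HTTP $code"
}

# Constructed sample outputs (not captured from a real host) used by the self-test.
SAMPLE_KLIST='Keytab name: FILE:/etc/gssproxy/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/12/2019 09:27:00 HTTP/foreman1.test.local@TEST.LOCAL (aes256-cts-hmac-sha1-96)
   2 12/12/2019 09:27:00 HTTP/foreman1.test.local@TEST.LOCAL (aes128-cts-hmac-sha1-96)
   2 12/12/2019 09:27:00 HTTP/foreman1.test.local@TEST.LOCAL (arcfour-hmac)'
SAMPLE_WEAK_KLIST='   2 12/12/2019 09:27:00 HTTP/foreman1.test.local@TEST.LOCAL (arcfour-hmac)'
SAMPLE_HEADERS='HTTP/1.1 401 Unauthorized
Server: Apache
WWW-Authenticate: Negotiate
Content-Type: text/html; charset=iso-8859-1'

self_test() {
    local rc=0
    printf '%s\n' "$SAMPLE_KLIST" | check_http_keytab foreman1.test.local TEST.LOCAL
    printf '%s\n' "$SAMPLE_HEADERS" | check_negotiate_challenge
    printf '%s\n' "$SAMPLE_WEAK_KLIST" | check_http_keytab foreman1.test.local TEST.LOCAL || rc=$?
    [ "$rc" -eq 2 ]
}

case "${1:-}" in
    --self-test) self_test ;;
    "") echo "usage: $0 --self-test | <fqdn> <REALM> [keytab]" >&2 ;;
    *) [ $# -ge 2 ] || { echo "usage: $0 <fqdn> <REALM> [keytab]" >&2; exit 1; }
       verify_sso "$@" ;;
esac
```

Run it as `sh verify-sso.sh --self-test` to exercise the parsers offline, or `sh verify-sso.sh foreman1.test.local TEST.LOCAL` on the Foreman host after a `kinit`. A keytab whose HTTP principal has only arcfour-hmac keys still authenticates, but it means the computer account still permits RC4; restrict it in AD (msDS-SupportedEncryptionTypes) and regenerate the keytab so AES keys are present.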